Updating Your Website? Update Your Terms!

We are officially in the swing of 2020. Welcome to a new year—and a new decade! If you’re feeling ready for a change and updating your website, or even if you aren’t, now is a good time to take a look at your website’s Terms of Use, Terms of Sale, and Privacy Policy. If they are more than a couple of years old, you are probably behind on some important legal developments. If you “borrowed” them from another website or found them in an online template, they may be causing you more harm than good. If you have no terms at all, you may even be violating the law.

Why are terms so important?

Terms of Use

A website’s Terms of Use are there primarily to protect your business. They are a contract between your company and the users of the website. They give you one more tool for taking action against anyone who misuses your company’s website, from hacking to copyright infringement to sharing inappropriate content. If your website allows its users to share information, posts, and so on, the Terms of Use are also the best place for you to share your company’s DMCA take-down procedures, which help protect your company from liability if a website user infringes on a third party’s copyright rights. They are also where to share any guidelines you have for users about what they are or are not allowed to post on your company’s website. And if you haven’t updated your Terms of Use recently, you may not have kept up with shifting rules about how to ensure those terms are binding on your website’s users.

Terms of Sale

If you sell products on your website, the Terms of Sale are also there primarily to protect your business. They are a contract between your company and anyone who makes a purchase on your website. They govern who bears what risks: when is an order official? What happens if you don’t have the product in stock? When or why can your customer return products for a refund or a store credit? Having clear, unambiguous Terms of Sale can help protect both you and your customers.

Privacy Policy

Finally, what is arguably the most important document: the Privacy Policy. This document informs your website users what information you are collecting from them and how you are using it. There are laws in at least three states that require you to have a Privacy Policy and set out specific requirements for what the Privacy Policy must cover. Other states don’t have specific requirements for your policy, but do have specific requirements for the kinds of security and procedures you need to maintain—and it could be a problem if you don’t describe what you’re doing accurately in your Privacy Policy. It is absolutely critical that your Privacy Policy accurately describe your practices, and if those state laws apply to your company, that it comply with them. Your company may also have additional rules to follow and disclosures to make if it is in a regulated industry like finance or health care. The consequences of non-compliance can be pretty draconian, so it’s better to comply than to

So you need to make an update. What do you do?

First, consider how well your current terms are working for you. Maybe you’ve had a dispute with a customer about a product sale and want to make sure that you don’t have to go through that again. Maybe you host a web forum and have noticed some troubling behavior you would like to ban in the future. Maybe you are aware of some of those new state privacy laws, and know you aren’t in compliance, but just haven’t had a chance to get around to fixing things yet. Maybe you updated your website and you aren’t quite sure if your old Privacy Policy is still accurate.

Second, gather some information from your web developer. What kinds of personal information are you collecting? What kinds of non-personal information are you collecting? What kinds of technology are you using to track your users? Is there anything your developer has noticed website users doing that they shouldn’t be?

Third, contact our office to help you make updates. Your attorney will ask you questions about your website, about your business, and about your industry, and help you create terms for your website that will reflect your business’s unique needs.

You Detected a Data Breach. Now What?

You have detected a data breach. Alert!

You are the CEO of a mid-size company. As you are going about your day, minding your business, you get a call from your security department. It’s a call you really didn’t want. Security has detected suspicious file movements and wants your directions about what to do next. You have likely suffered a data breach.

Now what?

Ideally, you will go to your shelf and pull out your executive copy of the company’s data breach plan. But what if you don’t have a plan?

As with most policies, the time to develop your data breach plan is “before you need it.” In this case, it’s important for two main reasons. First, the law requires you to have a plan if you have Massachusetts customers (as part of a Written Information Security Plan, or WISP) or are in one of any number of regulated industries. Second, odds are high that your business will suffer a data breach sooner or later.

If you don’t have a plan yet, you are not alone. About 20% of companies have not yet developed a plan, according to a 2015 Ponemon study. If you do have a plan but aren’t totally confident in it, again, you are not alone. About 2/3 of companies with a plan weren’t confident in their plans in the same study. If you don’t have a plan, or if you do have a plan and wonder whether it covers everything it should, this post is for you.

Your company’s data breach plan should include each of these important elements:

    The Right Crowd. When you develop your plan, you should include at minimum your security, technology, legal, customer service, and PR/communications folks, as well as representatives from any areas specifically affected. For example, include someone from HR when developing policies about handling HR data. Depending on the size of your organization, this group might include anywhere from 2 people to 20. In final form, your plan should include the roles and responsibilities of people from all of these groups as well. If you don’t have the right people in the room from the start, you face the very real possibility of chaos when a data breach occurs.

    Administrative, Technical, and Physical Safeguards. Your plan should cover how you are going to keep your data as safe as possible. You may not be able to prevent every breach, but you can reduce the number and severity of breaches by taking some basic cybersecurity steps. Administrative safeguards have to do with people’s behaviors and knowledge. Examples include policies about access to and use of data, hardware, and software; background checks; agreements; and training. Technical safeguards have to do with preventing access electronically. Examples include encryption, separating identifier and content data, roles-based systems access, and regular logging and auditing of access to systems. Physical safeguards have to do with preventing physical access to sensitive information. Examples include locked filing cabinets, secure workstations, video surveillance, biometric locks, and ID badges.

    Business Continuity. Your plan should tell you how to keep your business running if you do not have access to your computers or files. This may or may not be included in your normal business continuity plan, so be sure to check. A natural disaster that takes out one of your two locations will play out very differently from a ransomeware attack that ties up your entire network.

    Specific Steps. A data breach plan should ideally cover exactly who does what, and when. In the heat of the moment, your employees may not be thinking clearly; your plan should guide them so that they avoid panicked mistakes. In creating the plan, your organization should spend some time figuring out what its greatest vulnerabilities are and how it will address a resulting breach should it occur. (Ideally, of course, you will find ways to reduce these vulnerabilities during the course of developing your plan, but we live in the real world where time and budget are always constraints.) A data breach plan should cover these specific steps:

    • Escalation: When do you contact your internal and external security team and lawyers? When do you contact your Chief Information Officer? CEO? Your board? If there is any indication of a major incident, your first call should be to your data forensics consultant; the consultant will help you avoid accidentally harming your own systems or destroying any evidence. Beyond that, your next calls will depend a great deal on your organizational structure and preferences.
    • Investigation. If your business can afford it, you should enlist outside help with a data breach; legal, PR, and data forensics consultants will have experience that you may not have internally. They will also be able to give you perspective in a stressful situation. It is important to know who you will contact for outside help ahead of time. Be sure to keep their contact information in your breach plan. During the course of investigation, no matter who is conducting it, it is most important that you avoid destroying evidence, notify law enforcement, and ask the right questions: What specifically was compromised? What can we do to prevent further damage? Can this system be quarantined? What data can be salvaged? What data can we still trust? Can we trace who did it? And perhaps most importantly, is it a data breach as defined by law?
    • Most laws and regulations define “data breach” slightly differently from one another. Generally, though, a data breach is the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector.

    • Responses/Reporting. If you determine that your incident is a data breach under applicable law, you will need to report the breach. The law or regulation that applies to your situation will tell you who you need to contact. Most of the time, you will need to tell law enforcement and the people whose information was affected by the breach. You may also need to tell investors, state attorneys general, regulators, credit reporting agencies, or the media. In order to expedite reporting, you should consider having template versions of communications to these parties in your data breach plan.
    • Remediation. First, protect your customers from further damage. Make sure that any information that has been placed on the web is removed, including information on cached sites. Second, make sure that your company is protected for the future. Ideally, the same kind of incident should never happen to the same company twice. After the excitement has died down, evaluate what happened. Follow any steps recommended by your data forensics consultant. Consider whether you need to revamp any contractor relationships, contracts, technology, training programs, or physical safeguards.
    • Re-Evaluation and Practice. Take a look at your breach plan. How well did it perform? Would you do something differently next time? If so, amend the plan. If the plan worked well, practice it. You should run internal and external drills regularly, so use this opportunity for another run-through.

And now? If you already have a plan, great! You should make sure it contains all of these elements, then practice it this week. If you do not have a plan, don’t panic! Gather the folks in your company who need to be involved and develop one. This week.

Does your company have a plan? Do you trust that it will work if you need to implement it tomorrow?